
# IPsec Configuration Example - Tenant/NAT

The following example configures an IPsec peer within a VergeOS tenant. In this example, the dedicated IP address used for accessing the tenant UI is also used for the IPsec tunnel, with NAT rules in place to direct tunnel traffic appropriately.

{% hint style="info" %}
**This example pertains to a tenant using a dedicated IP address; tenants using a shared address (via proxy/PAT rules) will require different configuration.**
{% endhint %}

{% hint style="info" %}
**IPsec is a complex framework that supports a vast array of configuration combinations with many ways to achieve the same goal, making it impossible to provide one-size-fits-all instructions. Sample configurations are given for reference and should be tailored to meet the particular environment and requirements.**
{% endhint %}

{% hint style="success" %}
**Consult the** [**IPsec Product Guide Page**](/run-the-platform/vpn/ipsec.md) **for step-by-step general instructions on creating an IPsec tunnel.**
{% endhint %}

## Host Configuration

Assigning the UI address to a tenant automatically creates rules on the host system (external and tenant networks) to channel traffic appropriately. No further configuration should be needed on the host.

{% hint style="info" %}
**All configuration outlined below is done within the tenant system.**
{% endhint %}

## VPN Network Configuration

![VPN Network Configuration](/files/fCXxcD9Ojxgj4kWu363r)

## Phase 1

![Phase 1 Configuration](/files/y1tFbxkmjUGIlkd4bJPy)

## Phase 2

![Phase 2 Configuration](/files/qGt5VJec9csDwwYEezhI)

## Default VPN Network Rules

**Default Firewall Rules** - The following required firewall rules are **created automatically** when a VPN network is created:

* **Allow IKE**: Accept incoming UDP traffic on port 500 to **My Router IP**
* **Allow IPsec NAT-Traversal**: Accept incoming UDP traffic on port 4500 to **My Router IP**
* **Allow ESP**: Accept incoming ESP protocol traffic to **My Router IP**
* **Allow AH**: Accept incoming AH protocol traffic to **My Router IP**

![Review Rules](/files/b01RkFD0Bx2mVVLdZtwY)

{% hint style="success" %}
**These rules can be modified to restrict to specific source addresses, where appropriate.**
{% endhint %}

## Additional VPN Network Rules

Additional rules need to be created on our new VPN network:

**VPN NAT Rule:** ![VPN NAT Rule](/files/3byaHBO8Q21FNWOMIlRD)

{% hint style="success" %}
**The incoming NAT rule must be moved to the top, before the *Accept* rules. Instructions for changing the order of rules can be found in the Product Guide:** [**Network Rules - Change the Order of Rules**](/run-the-platform/networking/network-rules.md#change-the-order-of-rules)
{% endhint %}

**Default Route Rule:** ![VPN Default Route Rule](/files/3U086HtdpEm1W7fBE3pm)

**VPN SNAT Rule:** ![VPN SNAT Rule](/files/29ieyrm3g2ikHJ8FXxJe)

## External Network Rules

Translate (NAT) rules are required on the tenant's external network to forward incoming IPsec traffic to the VPN network:

**External UDP NAT Rule:** ![External UDP NAT Rule](/files/1xtvCuvz4pbuLf5xxyrC)

**External ESP NAT Rule:** ![External ESP NAT Rule](/files/l90wnEcDnBHYgeWn7MpV)

**External AH NAT Rule:** ![External AH NAT Rule](/files/SY7gv1ds6TwL0Kks1eqp)
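The rule sets described in the three sections above (the four default VPN-network accept rules, the incoming NAT rule that must sit above them, and the external-network translate rules) can be sanity-checked before applying them. The following is an added example, not VergeOS code and not its rule schema: it lints a constructed, simplified rule model for the points the page makes, namely that accept rules exist for IKE (UDP/500), NAT-T (UDP/4500), ESP and AH, that any of those still open to every source can be listed, that no incoming translate rule sits below an accept rule, and that the external network translates all four flows. First-match evaluation is assumed here only to illustrate why the NAT rule must be on top; the field names, rule names, the peer address `203.0.113.10` and the match fields of the `VPN NAT` placeholder are all constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

# Constructed, simplified rule model used only for this example.
# It is NOT the VergeOS rule schema; the field names are hypothetical.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" | "translate" | "route"
    direction: str              # "incoming" | "outgoing"
    protocol: str               # "udp" | "esp" | "ah" | "any"
    port: Optional[int] = None  # UDP port; None means any / not applicable
    source: str = "any"         # "any" or a peer address/CIDR

# The four IPsec flows the page lists: IKE (UDP/500), NAT-T (UDP/4500), ESP, AH.
IPSEC_FLOWS: Set[Tuple[str, Optional[int]]] = {
    ("udp", 500), ("udp", 4500), ("esp", None), ("ah", None)}

def flow(rule: Rule) -> Tuple[str, Optional[int]]:
    return (rule.protocol, rule.port if rule.protocol == "udp" else None)

def missing_flows(rules: List[Rule], action: str) -> Set[Tuple[str, Optional[int]]]:
    """IPsec flows that have no incoming rule with the given action."""
    present = {flow(r) for r in rules
               if r.action == action and r.direction == "incoming"}
    return IPSEC_FLOWS - present

def unrestricted_accepts(rules: List[Rule]) -> List[str]:
    """IPsec accept rules still open to any source (candidates for restriction)."""
    return [r.name for r in rules
            if r.action == "accept" and r.direction == "incoming"
            and flow(r) in IPSEC_FLOWS and r.source == "any"]

def nat_before_accepts(rules: List[Rule]) -> bool:
    """True when no incoming translate rule is ordered below an incoming accept rule."""
    accept_seen = False
    for r in (r for r in rules if r.direction == "incoming"):
        if r.action == "accept":
            accept_seen = True
        elif r.action == "translate" and accept_seen:
            return False
    return True

def first_match(rules: List[Rule], protocol: str, port: Optional[int],
                source: str) -> Optional[str]:
    """Name of the first incoming rule that matches a packet. First-match
    semantics are an assumption made here to show why rule order matters."""
    for r in rules:
        if r.direction != "incoming" or r.protocol not in ("any", protocol):
            continue
        if r.protocol == "udp" and r.port not in (None, port):
            continue
        if r.source not in ("any", source):
            continue
        return r.name
    return None

def default_vpn_rules() -> List[Rule]:
    """The four rules the page says are created with every VPN network."""
    return [
        Rule("Allow IKE", "accept", "incoming", "udp", 500),
        Rule("Allow IPsec NAT-Traversal", "accept", "incoming", "udp", 4500),
        Rule("Allow ESP", "accept", "incoming", "esp"),
        Rule("Allow AH", "accept", "incoming", "ah"),
    ]

# Placeholder for the page's "VPN NAT Rule": its match fields are not given in
# the text, so protocol "any" / source "any" are assumed purely for illustration.
VPN_NAT_RULE = Rule("VPN NAT", "translate", "incoming", "any")

def vpn_rules_as_added() -> List[Rule]:
    """New NAT rule appended at the bottom: the state the page's hint warns about."""
    return default_vpn_rules() + [VPN_NAT_RULE]

def vpn_rules_reordered(peer: str = "203.0.113.10") -> List[Rule]:
    """NAT rule moved to the top, accepts restricted to a constructed peer address."""
    return [VPN_NAT_RULE] + [replace(r, source=peer) for r in default_vpn_rules()]

def external_translate_rules() -> List[Rule]:
    """Constructed external-network translate rules covering all four flows."""
    return [
        Rule("External UDP NAT", "translate", "incoming", "udp", 500),
        Rule("External UDP NAT", "translate", "incoming", "udp", 4500),
        Rule("External ESP NAT", "translate", "incoming", "esp"),
        Rule("External AH NAT", "translate", "incoming", "ah"),
    ]

if __name__ == "__main__":
    print("as added, NAT above accepts:", nat_before_accepts(vpn_rules_as_added()))
    print("IKE packet hits:", first_match(vpn_rules_as_added(), "udp", 500, "203.0.113.10"))
    print("reordered, NAT above accepts:", nat_before_accepts(vpn_rules_reordered()))
    print("accepts open to any source:", unrestricted_accepts(default_vpn_rules()))
    print("external translate gaps:", missing_flows(external_translate_rules(), "translate"))
```

With the NAT rule appended last, an IKE packet is consumed by `Allow IKE` before the translate rule is ever reached; once reordered, the same packet hits `VPN NAT` first. The `unrestricted_accepts` check is the practical follow-up to the hint about restricting the default rules to specific source addresses.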

## Connecting Internal Networks to the VPN

Routing can be configured between the VPN network and other internal networks to provide tunnel access to those networks; see [How to Configure Routing Between Networks](/knowledge-base/networking/routing-between-internal-vergeio-networks.md).

{% hint style="success" %}
**New rules must be applied on each network to put them into effect.**
{% endhint %}

